Today I am on a quest to have all my applications running in Kubernetes containers connected to PostgreSQL to only use encrypted database connections. Earlier I did Sonarqube and posted
about it. Now let’s talk about Wikijs, which I am using for my wiki.
Needless to say that the Postgresql database server is already set for encryption and pg_hba.conf has proper entries.
Wikijs is based on node.js and that has its own rules about using SSL for the database encryption. Like with my Sonar setup, I don’t want to run full chain verification, only the traffic encryption does suffice for me. However Node.js is a bit fuzzy about it and simply enabling SSL like SSL:true will not work because it throws a tantrum about a self-signed certificate. What we need to do is tell it two more things: sslOptions: auto: <strong>false</strong> # rejectUnauthorized: false
This is documented here. How do we do it in a Kubernetes raw manifest: Using a config map and reference it in the deployment:
apiVersion: v1<br>kind: ConfigMap<br>metadata:<br> name: wikijs-config<br> namespace: wikijs<br>labels:<br> app: wikijs<br>data:<br> DB_HOST: "<db_host><br> DB_PORT: "5432"<br> DB_NAME: "<db_name>"<br> DB_USER: "<db_user"<br> <strong>DB_SSL: '{"auto":false,"rejectUnauthorized":false}'</strong>and the reference:
containers:
- name: wikijs
image: requarks/wiki:latest
imagePullPolicy: IfNotPresent
ports:
- containerPort: 3000
env:
- name: DB_TYPE
value: "postgres"
- name: DB_HOST
valueFrom:
configMapKeyRef:
name: wikijs-config
key: DB_HOST
- name: DB_PORT
valueFrom:
configMapKeyRef:
name: wikijs-config
key: DB_PORT
- name: DB_NAME
valueFrom:
configMapKeyRef:
name: wikijs-config
key: DB_NAME
- name: DB_USER
valueFrom:
configMapKeyRef:
name: wikijs-config
key: DB_USER
- name: DB_SSL
valueFrom:
configMapKeyRef:
name: wikijs-config
key: DB_SSLReplace the values in with your real values.
Anything else goes as usual. This way, our traffic is encrypted and we are all good to go.
Happy coding!
Update
Turned out at the end this was not sufficient. The real solution is described in this blog post and is indeed fully tested. Another technical description can be found in my wiki.
Author Profile
Latest entries
blog27.02.2026ConfDroid Puppet Modules – Gitea- blog26.02.2026ConfDroid Puppet Modules – Postgresql
blog23.02.2026Secure & Smart – Pilot- blog18.02.2026Publishing Pipeline – Telegram
sunrider
Turns out there is more to the thing. The DB_SSL probably needs more settings. Running it like above does not throw an error, but when I remove the pg_hba entry for ‘host’ and only leave ‘hostssl’, the connection fails. Coming back to that again.